The Solaris group is a forum where peers share technical expertise, solve problems, and discuss issues related to the Solaris operating system, including OS-related malfunctions, security issues, and network performance.

How to grant user to unlock the locked account

I need to know how to grant a specific user the ability to unlock a locked password ("passwd -u username") for any user. I'm trying to use RBAC, but I found that he can also change the password of the root user, and it's not applicable in this case.

Thanks & Best Regards
Hossam Shaaban
System Administrator
Etisalat

In general you want to separate users with such power
from other users. The sudo suggestion is good, because
sudo can be set to log the command in its entirety. RBAC
is a great concept, and is very good at granting less than
super powers to a user. The ability to use dtrace, for
example, without having to be root is good because the
debug environment is so very important. This is a privilege
that can be granted for the debug period, and then removed.

However, for general administrative needs, sudo is much the
better answer. For one, the specific command and argument
structure can be specified in the sudoers file. And, again, the
commands can be logged without having to turn on system
accounting for everything.

I ended up writing a captive ksh script for my service desk people in order for them to reset passwords on specific user accounts. I created a validuser.txt file that the script checks against. If the user is not in that list, the service desk cannot reset the password. They have the option of listing the validuser.txt file to see what users are allowed on the server. They do not have the ability to break out of the script. A bit tedious, but it works. The user base on the servers is pretty static so it is not a pain to maintain.

So your question is simple: with either sudo or RBAC, how can we grant a normal user the ability to change other users' passwords, except the root user's? If this is the question, then it is not possible to do. Yes, with the help of RBAC, we can change the other users' passwords also (even root). So I suggest you try checking software like CTSA ... (which can be intelligently controlled) and manage multiple user accounts/passwords. If I am able to find something, then I will post here ...

It can be done if you do as someone else suggested and don't give them
rights to run the passwd command as root, but do give them rights to run a
script as root. The script is something you would write that will call the
passwd command, but only if the parameter supplied is not root.
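
The wrapper approach described in the replies above, sketched as an added example (it is not code from any poster in this thread): the operator gets sudo rights to this one script, never to `passwd` itself, and the script refuses root, option-like arguments, and any account not on an allow-list. The script name, sudoers group, and allow-list path are assumptions.

```shell
#!/bin/sh
# unlock-user: constructed wrapper meant to be run through sudo by service desk staff.
# Assumed sudoers entry (group name and install path are hypothetical):
#   %helpdesk ALL = (root) /usr/local/sbin/unlock-user
# The allow-list must be owned by root and not writable by the operators.
ALLOWLIST=/etc/validuser.txt   # hypothetical path; one account name per line

may_unlock() {
    # $1 = target account, $2 = allow-list file. Returns 0 only if unlocking is permitted.
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;  # empty, option-like, or unexpected characters
        root) return 1 ;;                 # never root, even if someone lists it
    esac
    [ -r "$2" ] || return 1               # fail closed when the list is missing
    # Exact whole-line match, so "ali" does not match "alice".
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ "$entry" = "$1" ] && return 0
    done < "$2"
    return 1
}

main() {
    PATH=/usr/bin:/usr/sbin; export PATH  # do not trust the caller's PATH
    if [ "$#" -ne 1 ]; then
        echo "usage: unlock-user <username>" >&2
        return 2
    fi
    if may_unlock "$1" "$ALLOWLIST"; then
        # Record who unlocked whom; sudo sets SUDO_USER to the invoking account.
        logger -p auth.notice "unlock-user: ${SUDO_USER:-unknown} unlocked $1"
        passwd -u "$1"
        return $?
    fi
    echo "unlock-user: refusing to unlock '$1'" >&2
    return 1
}

# Run only when an argument is supplied, so the functions can be sourced for testing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Any other account with UID 0 has to be kept off the allow-list, since the script only rejects the name `root`.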